Data Retention Periods by Sector: How Long to Keep Personal Data in HR, Retail and Accounting
How long must you keep personal data in HR, retail, or accounting? Sector-specific retention periods based on GDPR and Dutch statutory law.
GDPR
38 articles
The GDPR applies to every business that handles personal data. If you have customers, employees, or a website, that includes you. Compliance doesn't have to be overwhelming, though. This category collects practical guides, checklists, and explainers that help SMBs tackle GDPR requirements one step at a time.
How long must you keep personal data in HR, retail, or accounting? Sector-specific retention periods based on GDPR and Dutch statutory law.
The ePrivacy Regulation has been officially abandoned. Current cookie rules remain in force — and the Dutch DPA is enforcing more strictly than ever. Here's what to do now.
Using HubSpot and want to stay GDPR-compliant? Find out where to accept HubSpot's DPA, which sub-processors are in play, and how to log HubSpot in your processing register.
In February 2026, the EDPB published a coordinated review of how 32 supervisory authorities handle erasure requests. The verdict: the same seven failures, everywhere. Here is how to check whether your SMB is making them too.
Your existing GDPR processing register covers 70% of your AI Act obligations. Here is what you can reuse, what is still missing, and how to go from GDPR-compliant to AI Act-ready.
Your GDPR processing register already covers 70% of what the AI Act asks of you. See which fields overlap and how to handle both dossiers in one workflow.
Automated compliance scanners check your cloud settings. That is useful, but it covers a small slice of GDPR. Here is what real compliance requires beyond the technical layer.
The EDPB approved Europrivacy as a transfer safeguard — the first GDPR certification to replace SCCs. What does this mean for your SaaS vendors?
GDPR, AI Act, ePrivacy, NIS2: which EU data protection laws apply to your business? This overview explains which law applies when, in plain language.
The Digital Omnibus may exempt small companies from keeping a processing register. Here are three reasons to maintain it anyway — even if it's no longer required.
Personal data covers more than names and emails. IP addresses, device IDs, and indirect identifiers all count. Read the GDPR definition in plain language.
The Dutch DPA published its 2026 enforcement policy: transparency, dark patterns, and profiling are top priorities. Learn how the escalation ladder works and how to reduce your risk.
Many SMBs fall under both GDPR and the EU AI Act at the same time. This article explains where the two laws overlap, where they differ, and what to do.
Your AI tool scores job applicants, sets customer prices, or assesses loan applications. That triggers GDPR Article 22 and the EU AI Act. Here is what you need to document.
Every compliance checklist says 'document your retention periods.' But how do you actually delete customer data from a CRM your sales team uses every day? This guide shows you how.
GDPR Article 32 requires risk-based security and Article 35 mandates a DPIA for high-risk processing. A practical five-step assessment for SMBs.
When does GDPR require a DPIA — and what must it contain? Practical guide for SMBs with concrete examples, a step-by-step process, and a checklist you can use.
Learn what an AI inventory is, why you need one under the EU AI Act, and how to build one step by step as an SME. With practical template and real-world examples.
GDPR sets rules for business software employees use. Here is how to tackle shadow IT, evaluate tools, and build a software register.
A GDPR audit doesn't have to be complicated. Learn what to check, how to approach it, and how to stay compliant as an SMB. With a practical checklist.
What goes in a data processing agreement under GDPR? The 7 mandatory clauses from Article 28, how to request a DPA from suppliers, and what to do when a vendor refuses.
The 7 most common GDPR mistakes small and medium businesses make. With real enforcement examples and practical steps to fix each one.
Build a GDPR processing register in 7 steps. Real examples for SMBs — audit-ready, Article 30 compliant, and built for client questionnaires.
What encryption does GDPR Article 32 actually require? The exact standards Dutch SMBs must implement: AES-256, TLS 1.2, and full-disk encryption.

All GDPR data subject rights explained, with practical guidance on handling access, erasure, and other GDPR requests within your organisation.

72-hour deadline, regulator notification, data subject letters — this step-by-step GDPR response plan for SMBs covers every action, in the right order, so nothing gets missed.
Complete GDPR checklist for Dutch tech SMBs: governance, DPA agreements, data retention, vendor security, and the evidence you need to pass an AP audit in 2026.
AI tools in every team, but no governance in place? This step-by-step framework covers AI inventory, risk tiers, GDPR checks, and a 14-day rollout plan for EU SMEs.
Learn what legitimate interest means under GDPR, when you can use it as a legal basis, and why a balancing test is essential.
GDPR and ePrivacy apply based on who you serve, not where you are. Learn why respecting EU privacy laws matters even if your company is outside Europe.
B2B cold outreach is still legal under GDPR — if you follow the rules. Here is what ePrivacy allows, where the line is, and how to stay on the right side of it.
Learn when user consent is mandatory under GDPR. Find out why legitimate interest is not enough for sensitive data, tracking, and behavioral advertising.
Learn how to create a GDPR-compliant data retention policy to protect personal data and ensure legal compliance with our step-by-step guide.
Understand GDPR's impact on public data usage and learn why accessing doesn't equal permission for personal information.
Discover how encryption is vital for GDPR compliance and learn practical steps to protect your data from breaches and fines.
NIS2 is the EU's updated cybersecurity directive, enhancing protections for critical infrastructures and ensuring businesses take cybersecurity seriously.
What is a data controller versus a data processor under GDPR? Practical explanation for Dutch SMBs: who is liable, when you need a DPA, and common mistakes to avoid.
Discover why GDPR compliance is essential for businesses and how ComplianceHive simplifies the process, ensuring data protection and efficiency.
Yes. The GDPR applies to any organisation that processes personal data, regardless of size. If you store customer emails, employee records, or website analytics data, you need to comply. There is no small-business exemption.
Common ones: missing or incomplete records of processing activities, outdated privacy policies, and no data processing agreements with vendors. Many small businesses also lack clear retention periods for the data they collect.
Map what personal data you collect, where it is stored, and who can access it. Write that down in a record of processing activities. That inventory becomes the foundation for everything else, from privacy policies to vendor assessments.
From theory to practice — manage your compliance in one platform.